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This listing of claims will replace all prior versions, and listings, of claims in the application. 
Listing of Claims: 

1 . (Canceled) 

2. (Canceled) 

3. (Currently Amended) A method of detecting surveillance probes on a 
computer communications network, comprising: 

receiving a plurality of messages from a data sensor[[,]] located at a network audit 
point, that samples said data sensor sampling data packets on said computer communications 
network and outputs outputting said messages, each of said messages describing an event 
occurring on said communications network; 

processing said messages to form extrapolated connection sessions from said sampled 
data packets from which to determine a connection source for each message by clustering 
packets a) exchanged between two addresses within a specified time period where the 
addresses are not predetermined^ er (b) having certain flags set^ or c) having addresses that 
are not predetermined but have similar characteristics; and 

detecting a surveillance probe by: 

grouping said connection sessions into a plurality of groups of related 

connection source addresses ; 

scoring each group based on at least a quantity of attack destinations ; and 
generating an alert for each group whose score is greater than an empirically 

derived threshold. 

4. (Canceled) 

5. (Currently Amended) The method of claim 3, further comprising controlling 
false positive detections of a surveillance probe vs. false negative detections of a surveillance 
probe . 
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6. (Previously Presented) The method of claim 3, further comprising generating 
a profile of surveillance activity, said profile of surveillance activity comprising one or more 
of the following: 

a breakdown of probes; 

a number of attackers; 

a number of attacks per unit time; 

a percentage of activity that constitutes malicious surveillance; 
a breakdown of source country frequencies; 
the most frequently-targeted network addresses; and 
temporal frequency trends of individual attackers. 

7. (Previously Presented) The method of claim 3, further comprising processing 
one or more of said detected surveillance probes to produce a detected surveillance scan, said 
processing of one or more of said detected surveillance probes to produce a detected 
surveillance scan comprising one or more of the following: 

modeling and detecting surveillance scans as a series of surveillance probes that 
originate from one or more source addresses and that are sent to one or more destination 
addresses; 

modeling and detecting surveillance scans performed by a particular source address 
by identifying a particular source address that sends more than a specified number of probes; 

modeling and detecting surveillance scans performed by a particular source address 
by identifying a source address that generates more than a specified number of probes within 
a specified time period; 

modeling and detecting surveillance scans performed by one source IP address by 
identifying a source address that sends probes to more than a specified number of 
destinations; 

modeling and detecting surveillance scans performed by a particular source address 
by identifying a source address that sends probes to a specified set of destinations; 

modeling and detecting surveillance scans performed by a particular source address 
by identifying a source address that sends probes to specified ports; and 
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modeling and detecting surveillance scans performed by a particular source address 
by identifying a source address that sends probes to a number of destinations in excess of a 
specified limit within a specified time period. 

8. (Currently Amended) The method of claim 7, further comprising controlling 
false positive detections of a surveillance probe vs. false negative detections of a surveillance 
probe . 

9. (Previously Presented) The method of claim 7, further comprising generating 
a profile of surveillance activity, said profile of surveillance activity comprising one or more 
of the following: 

a breakdown of probes; 

a breakdown of scans; 

a number of attackers; 

a number of attacks per unit time; 

a percentage of activity that constitutes malicious surveillance; 
a breakdown of source country frequencies; 
the most frequently-targeted network addresses; and 
temporal frequency trends of individual attackers. 

10. (Previously Presented) The method of claim 7, further comprising processing 
one or more of said detected surveillance scans to detect a group of scanning hosts, said 
processing of one or more of said detected surveillance scans to detect a group of scanning 
hosts comprising: 

modeling and detecting scans distributed across a series of source addresses by 
grouping addresses, said grouping of addresses being performed by subtracting one address 
from another and placing the two addresses in the same group if the difference is less than a 
specified amount. 
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11. (Currently Amended) The method of claim 10, further comprising controlling 
false positive detections of a surveillance probe vs. false negative detections of a surveillance 
probe . 

12. (Previously Presented) The method of claim 10, further comprising 
generating a profile of surveillance activity, said profile of surveillance activity comprising 
one or more of the following: 

a breakdown of probes; 

a breakdown of scans; 

a number of attackers; 

a number of attacks per unit time; 

a percentage of activity that constitutes malicious surveillance; 
a breakdown of source country frequencies; 
the most frequently-targeted network addresses; and 
temporal frequency trends of individual attackers. 

13. (Canceled) 

14. (Canceled) 

15. (Canceled) 

16. (Canceled) 

17. (Canceled) 

18. (Canceled) 

19. (Currently Amended) The method of claim 3 wherein the steps of processing 

said messages to form extrapolated connection sessions and detecting a surveillance probe 

further comprises at least one of the following steps: 
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identifying packets that have a particular arrangement of flags set; 
identifying packets that have all flags set; 

identifying packets that have payloads smaller than a predetermined size; 
identifying packets to which there is no response. 

20. (Currently Amended) The method of claim 3 wherein the steps of processing 
said messages to form extrapolated connection sessions and detecting a surveillance probe 
further comprises at least one of the following steps: 

identifying detected connections with fewer packets than a predetermined limit; 
identifying detected connections with packets that have traveled only from a source to 
a destination; 

identifying detected connections with packets that have traveled only from the 
destination to the source; and 

identifying detected connections with packets whose payloads are smaller than a 
predetermined limit 

21 . (Previously Presented) The method of claim 7 further comprising the steps of: 
limiting the number of detected scans by reporting only source addresses that perform 

more than a specified number of probes within a specified time; and 

limiting the number of detected scans by reporting only source address groups that 
perform more than a specified number of probes within a specified time. 

22. (Currently Amended) A system for detecting surveillance probes on a 
computer communications network, comprising: 

a data sensor located at a network audit point adapted to sample data packets on said 
computer communications network and to output messages, each of said messages describing 
an event occurring on said communications network; and 

a processor that processes said messages to form extrapolated connection sessions 

from said sampled data packets from which to determine a connection source for each 

message by clustering packets a) exchanged between two addresses within a specified time 

period where the addresses are not predetermined^ er (b) having certain flags set^ or c) having 

Page 6 of 15 



DOCKET NO.: TCS-0008 PATENT 

Application No.: 10/620,156 

Office Action Dated: December 4, 2008 

addresses that are not predetermined but have similar characteristics, and that detects a 
surveillance probe by grouping said connection sessions into a plurality of groups of related 
connection source addresses , scoring each group based on at least a quantity of attack 
destinations , and generating an alert for each group whose score is greater than an empirically 
derived threshold. 

23. (Previously Presented) The system of claim 22, wherein said processor further 
generates a profile of surveillance activity comprising one or more of the following: 

a breakdown of probes; 

a number of attackers; 

a number of attacks per unit time; 

a percentage of activity that constitutes malicious surveillance; 
a breakdown of source country frequencies; 
the most frequently-targeted network addresses; and 
temporal frequency trends of individual attackers. 

24. (Previously Presented) The system of claim 22, wherein said processor further 
processes one or more of said detected surveillance probes to produce a detected surveillance 
scan by performing one or more of the following steps: 

modeling and detecting surveillance scans as a series of surveillance probes that 
originate from one or more source addresses and that are sent to one or more destination 
addresses; 

modeling and detecting surveillance scans performed by a particular source address 
by identifying a particular source address that sends more than a specified number of probes; 

modeling and detecting surveillance scans performed by a particular source address 
by identifying a source address that generates more than a specified number of probes within 
a specified time period; 

modeling and detecting surveillance scans performed by one source IP address by 
identifying a source address that sends probes to more than a specified number of 
destinations; 
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modeling and detecting surveillance scans performed by a particular source address 
by identifying a source address that sends probes to a specified set of destinations; 

modeling and detecting surveillance scans performed by a particular source address 
by identifying a source address that sends probes to specified ports; and 

modeling and detecting surveillance scans performed by a particular source address 
by identifying a source address that sends probes to a number of destinations in excess of a 
specified limit within a specified time period. 

25. (Previously Presented) The system of claim 24, wherein said processor further 
processes one or more of said detected surveillance scans to detect a group of scanning hosts 
by modeling and detecting scans distributed across a series of source addresses by grouping 
addresses, said grouping of addresses being performed by subtracting one address from 
another and placing the two addresses in the same group if the difference is less than a 
specified amount. 

26. (Previously Presented) The system of claim 22 wherein the processor is also 
programmed to perform at least one of the following steps: 

identifying packets that have a particular arrangement of flags set; 
identifying packets that have all flags set; 

identifying packets that have payloads smaller than a predetermined size; 
identifying packets to which there is no response. 

27. (Currently Amended) The system of claim 22 wherein the processor is further 
programmed to perform at least one of the following steps: 

identifying detected connections with fewer packets than a predetermined limit; 
identifying detected connections with packets that have traveled only from a source to 
a destination; 

identifying detected connections with packets that have traveled only from the 
destination to the source; and 

identifying detected connections with packets whose payloads are smaller than a 
predetermined limit 
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28. (Previously Presented) The system of claim 24 wherein the processor is 
further programmed to perform the steps of: 

limiting the number of detected scans by reporting only source addresses that perform 
more than a specified number of probes within a specified time; and 

limiting the number of detected scans by reporting only source address groups that 
perform more than a specified number of probes within a specified time. 
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